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When quantum communication networks proliferate they will likely be subject to a new type of 
attack: by hackers, virus makers, and other malicious intruders. Here we introduce the concept of 
"quantum malware" to describe such human-made intrusions. We offer a simple solution for storage 
of quantum information in a manner which protects quantum networks from quantum malware. 
This solution involves swapping the quantum information at random times between the network 

\& • and isolated, distributed ancillas. It applies to arbitrary attack types, provided the protective 

<^^> operations are themselves not compromised. 
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£ ■ I. INTRODUCTION 

Quantum information processing (QIP) offers unprecedented advantages compared to its classical counterpart!. 
Quantum communication is moving from laboratory prototypes into real-life applications. For example, quantum 
communication networks ("quantum internet"—) have already been completed, and even commercialized 3 . Efforts to 
^-j- ■ protect quantum information flowing through such networks have so far focused on environmental (decoherence) 
J> ' and cryptographic (eavesdropping) "attacks" . Quantum error correction has been developed to overcome these 
^sD ■ disturbances^^. 

Malware (a portmanteau of "malicious software"), familiar from classical information networks, is any software 
developed for the purpose of doing harm to a computer systemt This includes self-replicating software such as 
viruses, worms, and wabbits; software that collects and sends information, such as Trojan horses and spyware; software 
that allows access to the computer system bypassing the normal authentication procedures, such as backdoors, and 
more. In view of their strategic importance, when quantum information networks become widespread, it is likely that 
deliberately designed malware will appear and attempt to disrupt the operation of these networks or their nodes. We 
call the quantum version of these types of attacks quantum malware. 

Quantum malware is a new category of attacks on quantum information processors. While it shares the "intelligent 
design" aspect of eavesdropping in quantum cryptography, one cannot assume that its perpetrators will attempt to 
minimally disturb a QIP task. Instead, while quantum malware will try to remain hidden until its scheduled launch, 
its attack can be strong and deliberately destructive. Moreover, generally it should be assumed that malware is able 
C7^ to attack at any point in time and target any component and part of the quantum devices in a quantum network. 
Quantum malware may appear in the form of a quantum logic gate, or even as a whole quantum algorithm designed 
and controlled by the attackers. In comparison with classical information processing, there are more ways to attack 
in QIP, because quantum states contain more degrees of freedom than their classical counterparts. 

Here we propose a simple scheme to protect quantum memory in quantum information processors against a wide 
class of such malware. This scheme, while not foolproof, dramatically reduces the probability of success of an attack, 
under reasonable assumptions, which involve strengthening the defenders relative to the attackers. We note that if 
attacker and defender have exactly the same capabilities (including knowledge, e.g., of secret keys), a defense is likely 
to be impossible. Therefore, the question becomes, how much must one add to the defenders' capabilities, or subtract 
from the attackers', in order to have a secure network? The protocol we propose here to defend against quantum 
malware provides a possible answer to this question. 
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II. CAN QUANTUM MALWARE EXIST? 



An early no-go theorem showed that it is not possible to build a fixed, general purpose quantum computer which 
can be programmed to perform an arbitrary quantum computation^ . However, it is possible to encode quantum 
dynamics in the state of a quantum system, in such a way that the system can be used to stochastically perform, 
at a later time, the stored transformation on some other quantum system. Moreover, this can be done in a manner 
such that the probability of failure decreases exponentially with the number of qubits that store the transformation 9 . 
Such stochastic quantum programs can further be used to perform quantum measurement3i2iii*i£. Thus it is entirely 
conceivable that quantum malware can be sent across a quantum information network, stored in the state of one or 
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more of the network nodes, and then (stochastically) execute a quantum program or measurement. Either one of these 
eventualities can be catastrophic for the network or its nodes. In the case of a maliciously executed measurement 
the outcome can be an erasure of all data. In the case of a quantum program one can imagine any number of 
undesirable outcomes, ranging from a hijacking of the network, to a quantum virus or worm, which replicates itself 
(probabilistically, due to the no-cloning theoremi&ii) over the network. 



III. QUANTUM MALWARE MODEL AND ASSUMPTIONS 



While there is no limit to the number and character of possible malware attacks, they must all share the same 
fundamental characteristic: they comprise a set of elementary operations, "quantum machine-language" , such as 
quantum logic gates and measurements. It is this simple observation, which also guided the early concept of the 
circuit model of quantum computing 15 , that allows us to consider a general model of quantum malware, without 
resorting to specific modes of attack. We thus model quantum malware at this machine-language level. Clearly, 
this captures all "high-level" types of attack, since these must, by necessity, comprise such elementary operations. 
The operations can be unitary gates U(t) driven by a time-dependent Hamiltonian H(t), and/or measurements, 
taking place while a QIP task is in progress. We denote the series of malicious operations by the superoperator 
M{{\i) ), where \i) is an arbitrary basis state in the Hilbert space in which a qubit (one of K) is embedded. 

This notation includes measurements, as well as "leakage" operations that couple the two states of any qubit with the 
rest of its Hilbert space. For example, M({|z)(j|}) may have the structure of a quantum completely positive mapi&. 
This captures the most general type of quantum malware possible. The details of such quantum malware operations, 
i.e., the structure of M({|z)(j|}), are in general known only to the attackers, and we will not presume or need any 
such knowledge. 

In order to protect against malware, in classical information processing one must assume that there is a means by 
which to determine, or at least estimate, a time interval 5 within which the malware is off, so that malware-free data 
can be copied (backed up). For example, when one installs a firewall, or when one applies an anti- virus program, 
one must assume that these tasks themselves are malware-free. Similarly, we will assume that the quantum malware 
attack occurs in relatively short bursts, and that there are periods during which there is no attack. We note that it 
is in the interest of the attackers to remain hidden, or at least not to launch a continuous attack. For, otherwise, the 
defenders may simply decide that it is too risky to engage in any kind of activity, thus defeating the purpose of the 
attackers. 



IV. NETWORK OPERATIONS PROTOCOL 



Although the classical backup method is not directly applicable in the case of quantum information - because of 
the no-cloning theoremiii4 - the basic idea of assuming malware-off periods while copying suggests an analogous 
mechanism for protecting quantum information against quantum malware. We note that the assumption that the 
attack is switched off every once in a while is not only reasonable for the sake of the adversary's purpose of maintaining 
an element of surprise, but is common also to quantum cryptography. For example, a probabilistic protocol for 
quantum message authentication (essentially a "secure quantum virtual private network") assumes that the sender 
and receiver are not subject to attacks by a third party at least while sending and measuring quantum states^. 

The protocol we describe below is deterministic and is designed to protect quantum information over time. The 
networks we consider comprise K nodes, which can either be the whole network or a part thereof. Each node contains a 
quantum computer. The network is used for the transmission of quantum information. Hence the nodes are connected 
via quantum and classical channels. The quantum channels are used for tasks requiring the transmission of quantum 
states, such as quantum cryptography 1 -. The classical channels are useful, among other things for teleportation 19 . 
Henceforth, the terms "online" / "offline" applied to a network node mean that this node is connected/unconnected to 
the network. The defenders have access to three types of qubits, or quantum computers: (i) Data qubits, which can be 
either online or offline; (ii) Decoy qubits, which are online when the data qubits are offline, and vice versa; (hi) Ancilla 
qubits, which are always offline. In Table 1 we compare the assumptions we make about the respective capabilities 
of the defenders and attackers of the network. With the exception of the limitations listed in Table 1, the attackers 
are bound only by the laws of physics. Both defenders and attackers have access to clock synchronization, 20 , which 
enables the defenders to make use of their set of secret network on-times. 

One can envision any number of different methods by means of which the task of secure distribution of the network 
on-times to the defenders can be accomplished, including classical^i*^ and quantum secret sharing protocolsS^i 2 ^, 
which are procedures for splitting a message into several parts so that no subset of parts is sufficient to read the 
message, but the entire set is. It is essential to the success of the protocol that only trusted parties are recipients. 
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The secret set {T;} is stored off-line by the defenders, and is never copied onto a computer that is accessed by the 
network. This provision is meant to preclude the attackers from ever gaining access to the times {Ti}, even if at some 
point they successfully (remotely) hijack a network node. 



Capabilities of the defenders 


Capabilities of the attackers 


Have access to the secret set of network switch- 
on times 

This secret set is stored off-line by the 
defenders, and is never copied onto a computer 
that is accessed by the network. 


Do not have access to the network switch-on 
times {T t }f =1 , even if at some point they 
successfully (remotely) hijack a network node. 


Can implement very fast communication across 
the network during the real (as opposed to 
decoy) network on-times. 


Cannot discriminate between legitimate and 
decoy activity on the network. 


Can quicldy replacing the "data" quantum 
computers on their respective network nodes 
with "decoy" quantum computers. 


Cannot interfere with the replacement of the data 
and decoy computer. 



Table 1. Relative capabilities of defenders and attackers. 



Our network protection protocol is given in Figure^ After the preparatory steps (1) and (2), the protocol cycles 
through steps (3)- (6), with the next network on-times {Tj} chosen from the previously distributed secret set. The 
protocol is further illustrated in Figure [21 



V. CONDITIONS FOR SUCCESS OF THE DEFENSE PROTOCOL 



We note that if a malware attack ever takes place during the network-on times, replacement of data qubits by 
decoy qubits, decoy-reset, or SWAP operations, the protocol fails and the network must be completely reset. We can 
estimate the probability, p, of this catastrophic occurrence as follows. A reasonable strategy is to pick the times {Tj} 
from a uniformly random distribution. The malware designers, on the other hand, may choose their attack interval 
times {Oj} from some other distribution, not known to us. Let us characterize this latter distribution by a mean 
attack interval 9 and mean attack length 5. Let the total time over which the protocol above is implemented be T. 
Let us also designate the operating times within a single cycle of our protocol by r (i.e., t = to + 2ts + tr). Consider 
a particular attack window of length 5 at some random time. The probability qi that the network is off during this 
window is q± = [T — (5 + t)]/T, since there are two network-on intervals, one before and one after the attack window, 
and each must be a distance r/2 away from this window. In other words, the excluded interval is <5+2(r/2). Now, since 
the network-on times are randomly distributed, the probability that this same attack window does not overlap any 
network-on interval, after M such intervals, is qu ~ <Zi (this is an approximation since one should actually exclude 
overlapping intervals^, but if the intervals are sufficiently sparse such overlaps can be neglected). The probability of 
at least one (catastrophic) overlap of this attack window with a network-on interval is p = 1 — <7m • Letting M = cT, 

where < c < 1 is a constant, we have p — > 1 — exp[— c(5 + t)] , so that as long as c and r (under our control) , and 5 
(under the attackers' control) are sufficiently small, we have p w c(S + r) > 0. Another way of analyzing the optimal 
strategy is to note that there are, on average, a total of A = T/(6 + S) attack intervals, so that the expected number 
of catastrophic overlaps is Ap = [T/(8 + <5)]{1 — [1 — (S + t)/T] m }, and this number must be <C 1 for our protocol to 
succeed. Given an estimate of the attackers' parameters, 9 and S, and given that the state of technology will impose a 
minimum t, we can use this result to optimize T and M. A simple estimate can be derived in the physically plausible 
limit 5, t <C T, where we can linearize the above expression and obtain the condition 



M<(6 + 9)/(6 + t). 



(1) 
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(l)f<0: 
Preparation step. 

Everything offline. The state 

|n(0> = ®^|^» 1 > fl |o f > A 

is prepared locally. Superscripts d, a, and A denote 
data, ancilla, and decoy, respectively; i enumerates 



nodes, each of the states 



i \ d 

\w,) 



denotes an entire 



node data-state (of n t data qubits), and each of the 



states 0, 



denotes an entire node ancilla or 



decoy-state (of n t qubits). Local preparation means 

that all operations are done at the nodes, without 
any communication (classical or quantum) between 
nodes. Therefore at this point there is no risk of any 
malware infection and we can be confident that 

| £2(0) y is a clean (malware-free) state. 



Long decoy, "confuse the enemy" step. 

The network remains online using the decoy qubits. 
During this long interval malware can continue to 
be transmitted across the network, store itself on the 
decoy qubits, or even attack the decoy qubits, via 

the operator M 2 : 

I CXJl -T s -T R )) = \0) d \y i ) a (M 2 M 1 \ 0) A ) . 

Since the data has been swapped onto the ancillas, 
to which the malware has no access, the attack is 
harmless: the network state is safely stored in the 
ancillas (which may at this point be entangled 
across the network). Since data and ancilla qubits 
were entangled only during the execution of the 
SWAP gate, and we have assumed that the malware 
had no time to attack the data qubits prior to the 
SWAP operation, there is no mechanism for the 
malware to infect the ancillas. Conversely, our 
protocol fails if this assumption does not hold. To 
err on the side of caution, we may erase and hence 
reset the data qubits during this step. 



(2)0<t<T o : 

Real communication step. 

The network is turned on and all data 
qubits are online. There is 
communication across the network, 
operations are performed, and qubits 
at different nodes may become 
entangled. The network evolves into 
the state 



) d \o)"\o) A 



a, A 



and 



l^ ))=l^ 

Here |0>^=€^|0 ( ) 

J x ¥ 1 ) is the (possibly entangled) 

state of all data qubits in the entire 

network. We assume that T is 

sufficiently short so that the malware 
has no time to interfere with the 

operation ® f =1 \ \f/ i ) d H> | x ¥ l ) d . 
I.e., we assume (since network-on 
times are secret and T is short) that 

the state is completely 

malware-free, and contains only 
legitimate information. 

(5)T 1 -T s -T R <t<T 1 : 

SWAP and reset step. 

We perform another SWAP between 

the ancillas and data qubits (T s ) , 

then replace the decoy qubits by the 
data qubits so the latter are online, 

and reset the decoy qubits (T R ) . 

This erases any and all malware. We 
assume that the malware is not 
operating during this time. Then: 

|Q(T 1 )) = |'P 1 )' i |0)' , |0) A . 



(3) T <t<T +T s : 
Short decoy step. 

The network remains online, but real 
activity on the network is turned off and is 
replaced by decoy activity. Thus all data 
qubits from step (2) are taken offline, and 
are replaced by online decoy qubits, whose 
sole purpose is to fool the attackers into 
believing that the network is still active. A 

local SWAP operation, ®f =l S i , where 

n I \ ^ I \ a I \ ^ I \ a 

s i\ x i) Wi) = l?«7 F«) . 

is performed between the data and ancilla 
qubits. This results in: 

|n(r o+ r 5 )> = |0» 1 > fl (M 1 |0> A ), 



where |0) d =®£ 1 |0 I .) <i 



Note that we have allowed for malware to 

act on the decoy state via the operator Mi . 
But, since malware has so far not had a 
chance to interact with the legitimate data, 
there is no risk of contamination of the 
ancilla qubits. 



{6)Ti<t<Ti+T : 

Real communication step. 

The network is turned on and all data qubits 
are online again. We perform a new 
operation across the network: 

|ft(r 1 +T )) = |'F 2 )>) fl |o) A . 

We again assume that this operation is fast 
and that the time ZJ is unknown to the 
attackers, so that there is no malware attack. 



FIG. 1: Network operations protocol. 



If we further assume r < S <C 6, we find the intuitively simple result that the number of network-on times cannot 
exceed the ratio of the mean attack interval to the mean attack length. 

We note that one might suspect that our protocol is in fact more vulnerable than suggested by the arguments above, 
given that an adversary might hijack quantum repeaters installed between network nodes and tweak the data (this 
scenario assumes quantum optical communication). However, we point out that there exists an alternative scheme 
to the use of quantum repeaters: in order to overcome photon decoherence and loss one may use a spatial analog of 
the quantum Zeno effect and "bang-bang decoupling" , which involves only linear optical elements installed at regular 



5 



(D 



o 

o 
o 



o 

o 
o 



(<0 



(4) 
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T Q + t s <t<T l -t s -T R 



data qubits 
offline; SWAP 



(2) 



(3) 



o o 

o o 

0<t<T Q 

o o 



T Q <t<T 0+ t s 



(6) 
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o o 



data qubits 
offline; SWAP 







data qubits 
online 



v V 

decoy qubits only online; reset data and 
malware transmitted & attacks decoy qubits 



FIG. 2: Schematic of network operations protocol. Depicted in the top six parts is a simple network with K = 2 nodes and one 
data qubit in each node. For simplicity we do not depict other parts of quantum computers where the malware would reside. 
Parts (l)-(6) denote the first six steps in the protocol, starting from the first network cycle. The green dots (top) are data 
qubits, the yellow dots (middle) are ancillas, and the blue dots (bottom) are decoy qubits. Initially (1), the system is offline. 
When data qubits are connected by straight lines (2), the system is online. The curly lines (2) represent entangled qubits. The 
time at which the network is turned on is random and unknown to the malware makers, and the duration too short for them 
to interfere. In the ultrashort step (3) the network is off and the state of data and ancilla qubits is swapped, as represented by 
the vertical straight lines. The decoy qubits may be under attack. (4) Decoy qubits are subject to a malware attack. Whatever 
the attack, in (5) the data and decoy qubits are reset and the data qubits swapped with the ancilla qubits. Red data qubits 
(6) indicate the end of a network cycle, and the start of a new cycle. Bottom part: Timeline of the protocol. 



intervals along an optical fiber—. Such a system cannot be hijacked because of its distributed nature. An attacker 
could at most remove, or tamper with, some of the linear optical elements, thus degrading the performance of the 
quantum noise suppression scheme. 



VI. DETECTION OF AN ATTACK, AND INCREASING THE ROBUSTNESS OF THE DEFENSE 

PROTOCOL 

A considerable improvement in the robustness of the stored quantum information is possible by replacing the SWAP 
operation with an encoding of each data qubit into a quantum error-detecting codei. Not only does this enable the 
application of quantum fault tolerance methods 4 , it also allows the defenders to check whether the data has been 
modified, via the use of quantum error detection. However, since this does not allow us to change our assumptions 
about the relative weakness/strength of attackers and defenders, we do not here consider this possibility in detail. 
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We further note that it is possible to slightly relax the assumption that the malware makers cannot interfere during 
the real communication step (2). Indeed, it is possible to let the malware attack and/or store itself on another set 
of qubits connected to the network, as long as these qubits are not involved in storing the legitimate state being 
processed across the network. When executing the short decoy step (3), we must then assume that this other set of 
qubits does not interact with the ancillas. 

VII. IMPLEMENTATION OF SWAP GATES 

We now show how the SWAP gates needed in our protocol can be implemented in a variety of physical systems. 
Recall that above we distinguished between malware operating on the qubits' Hilbert space, and malware that includes 
operations on a larger Hilbert space ("leakage"). The implementation of Si for malware M({<Ti d }), where di d are the 
Pauli matrices on the data qubits id, without leakage, is direct. Assume that the Heisenberg interaction Oi d -&i a between 
the ith data qubit and its ancilla is experimentally controllable, as it is in a variety of solid-state quantum computing 
proposals such as quantum dots2&. Then the SWAP gate is Si = exp(i^P idia ), where Pi d i a — \{<J id ■ a ia + 1) = 
/3=o(\ a )i d ® ( a \) i s an operator exchanging between the ith data qubit and its ancilla, and the gate time 

t q (a — O, S, R) is on the order of a few picoseconds^. The SWAP gate can be implemented in a variety of other 
systems, with other Hamiltonians, in particular Hamiltonians of lower symmetry^LSi. 

If the attackers design malware capable of causing leakage into or from the larger Hilbert space with dimension N, 
the situation will be different. Generally, the malware superoperator M is a function of transition operators of the 
form \a) i {fl\, where the case of a, /3 > 1 represents states other than the two qubit states |0) and |1). If both a and 
j3 are or 1, the operation can be expressed in terms of Pauli matrices, e.g., |0) (1 = u x + ia v ; if only one of either a 
or P is or 1, the operation represents leakage to or from the qubit subspace. Let us define a generalized data-ancilla 

exchange operator, P idia = J2a,P=o(\ a )i d (@\) ® (\P)i a ( a \)- Tnen p ui a \ a )i d \P)i a = \ a )i a and P i d i a = I> tne 
identity operator. Therefore the generalized SWAP operator is 

S i =exp(i^P td J=iP idia , (2) 

and it follows directly that S^ M({id})S = M({i a }), where S = Yii^l- The exchange operator Pi d i a can be imple- 
mented as a controllable two-body Hamiltonian in multi-level systems. 

For a fermionic system such as excitonic qubits in quantum dots^iS or electrons on the surface of liquid helium 34 , a 
qubit is defined as |0) = /q |vac), |1) = f\ |vac), where /q, f\ are fermionic creation operators and |vac) is the effective 
vacuum state (e.g., the Fermi level). The most general attack uses an operator (a Hamiltonian or measurement) that 
can be expressed in terms of Fi d = (/g id ) k (fl id ) 1 (fo.i d ) m (fi,i d ) n (where k,l,m,n are integers) acting on the ith data 
qubit. These operators can be shifted to the corresponding ancilla, via control of a two-body fermionic Hamiltonian. 
Namely, SjFi d Si = Fi a , where the SWAP operator for the ith fermionic particle reads Si = SfSj, where 

S q t — ex P[^ {fl,i d fq,i a ~ f\,i a fq,id)\i 

with q = 0, 1. This can be proven easily using the identities 

e -Hflf.-flU)f^ e Hflf.~flU) = cos0/] +sin0/t, 
e -4><Jlfa-flfi)f de <Kflfa-flf<d = cos^/d + sin^/a, 

which follow from the Baker-Hausdorff formula e~ aA Be aA = B - a[A, B] + ^{A, [A, B]] - .... The relation S}F id Si = 
Fi a implies that the action of any "fermionic malware" is shifted by the SWAP gate from the data to the ancilla 
particle. The very same construction works also for bosonic systems, such as the linear-optics quantum computing 
proposal 35 . There a qubit is defined as |0) = b\ |vac), |1) = b[ |vac), where b\,b\ are bosonic creation operators. 
The relations we have just presented for fermions hold also for bosons, provided one everywhere substitutes bosonic 
operators in place of the fermionic ones. 

VIII. CONCLUSIONS 

What sets quantum malware apart from the environmental and eavesdropping attacks is that the latter are typically 
weak (in the sense of coupling to the quantum information processing (QIP) device), while the former can be arbitrarily 
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strong, can attack at anytime, and can target any part of a quantum device. Indeed, a malicious intruder, intent on 
disrupting information flow or storage on a quantum network, will resort to whatever means available. In contrast, 
the QlP-environment interaction will be a priori reduced to a minimal level, and an eavesdropper will attempt to go 
unnoticed by the communicating parties. For this reason one cannot expect quantum error correction to be of use 
against quantum malware, as it is designed to deal with small errors. The same holds true for quantum dynamical 
decoupling^ or other types of Zeno-effect like interventions 3 ^. Decoherence-free subspaces and subsystems 3 ^, on the 
other hand, do not assume small coupling, but do assume a symmetric interaction, which is unlikely to be a good 
assumption in the case of quantum malware. We further note that of all possible types of quantum malware, as far 
as we know only quantum trojan horses have been considered previously, in the quantum cryptography literature. In 
particular, in the context of the security proof of quantum key distribution, it was shown that teleportation can be 
used to reduce a quantum trojan horse attack to a classical one 39 . Finally, we note that the attacks we are concerned 
with are on the quantum data, not the quantum computer software; the latter is generally itself a list of classical 
instructions, and can be cloned. 

Experience with classical information processing leaves no doubt that the arrival of quantum malware - malware 
designed to disrupt or destroy the operation of quantum communication networks and their nodes (quantum comput- 
ers) - is a matter of time. When this happens, overcoming the problem of quantum malware may become as important 
as that of overcoming environment-induced decoherence errors. In this work we have raised this specter, and have 
offered a relatively simple solution. Our solution invokes a network communication protocol, wherein trusted parties 
operate the network at pre-specified times, and quickly swap the information out of the network onto a quantum 
backup system. Such a protocol slows the network down by a constant factor, and therefore does not interfere with 
any quantum computational speedup that depends on scaling with input size. The success of our protocol depends 
strongly on the ability to perform very rapid swapping between data and ancilla qubits. This suggests the importance 
of the design of fast and reliable swapping devices. This can be done for a variety of physical systems, as shown above. 
As long as the swapping can be done sufficiently fast, and as long as there exists a mechanism for secure distribution 
of the network on-times only among trusted parties, we have shown that the quantum network will be unharmed by 
a very general model of quantum malware. On the other hand, if these assumptions are not satisfied and an attack 
is successful, one must unfortunately reset the network, pending the development of a "quantum anti-virus program" 
that would clean infected data. The latter is a very interesting open research problem. Our protocol is similar to 
"paranoid" classical protocols employed in military systems that are under attack, which are shut down a great deal 
of the time, and then are suddenly opened up in order to perform a useful task. However, there is a distinct quantum 
aspect to our protocol, which is that it preserves entanglement across the network. In this sense our protocol, while 
being a conceptually simple generalization of established classical methods, offers a genuine step forward towards 
quantum network security against quantum malware. 
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